IPSec best performance between two RB1100AH

I’m trying to get the best performance on the IPSec tunnel between two RB1100AH routers with ROS v5.22.
Packet encryption is a must, at least weak encryption.
My IPSec config is (for one side):

/ip ipsec proposal
add auth-algorithms=null enc-algorithms=aes-128 lifetime=30m \
    name=aes128-no-auth pfs-group=none
/ip ipsec peer
add address=10.1.0.2/32 auth-method=pre-shared-key dh-group=modp768 \
    enc-algorithm=aes-128 exchange-mode=main generate-policy=no \
    hash-algorithm=md5 nat-traversal=no port=500 proposal-check=\
    obey secret=secret send-initial-contact=yes
/ip ipsec policy
add action=encrypt dst-address=192.168.2.0/24 dst-port=any ipsec-protocols=esp \
    level=require priority=0 proposal=aes128-no-auth protocol=all \
    sa-dst-address=10.1.0.2 sa-src-address=10.1.0.1 src-address=192.168.1.0/24 \
    src-port=any tunnel=yes

Here are my results:
iperf with default settings - 95..100 Mbit/s, CPU usage is 70..80%
iperf with “TCP Window Size > 100 kB” - 140..150 Mbit/s, CPU usage is 90..95%
copying files between two Windows 7 hosts - 20 MB/s, CPU usage is 100%.

Is it a hardware limit of the RB1100 platform, or is it possible to tune the configuration for best performance?

Thanks!
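A small audit of the proposal and peer settings quoted above, added here as an example (not code from the post or from MikroTik): it parses the RouterOS export format, joining the backslash-continued lines, and flags the settings that were chosen for speed at the expense of integrity or key strength. It assumes the export layout is exactly as shown in the post and that values contain no spaces.

```python
import re

# Constructed sample: the proposal and peer stanzas of the RouterOS v5 export
# quoted in the post, in the same backslash-continued layout (an assumption).
SAMPLE_EXPORT = """\
/ip ipsec proposal
add auth-algorithms=null enc-algorithms=aes-128 lifetime=30m \\
    name=aes128-no-auth pfs-group=none
/ip ipsec peer
add address=10.1.0.2/32 auth-method=pre-shared-key dh-group=modp768 \\
    enc-algorithm=aes-128 exchange-mode=main generate-policy=no \\
    hash-algorithm=md5 nat-traversal=no port=500 proposal-check=\\
    obey secret=secret send-initial-contact=yes
"""

# Settings in the post that give up integrity or key strength for speed,
# keyed by RouterOS parameter name, with the reason each is flagged.
WEAK_SETTINGS = {
    "auth-algorithms": {"null": "ESP carries no integrity check"},
    "hash-algorithm": {"md5": "MD5 used for IKE hashing"},
    "dh-group": {"modp768": "768-bit DH group for the IKE exchange"},
    "pfs-group": {"none": "no perfect forward secrecy for IPsec SAs"},
}

def parse_export(text):
    """Return {menu path: [{key: value, ...}, ...]} for each 'add' command."""
    # A trailing backslash continues the command; dropping it and the next
    # line's indentation turns 'proposal-check=\' + 'obey' into one token.
    joined = re.sub(r"\\\n\s*", "", text)
    menus, current = {}, None
    for raw in joined.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            menus[current].append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return menus

def audit(menus):
    """Return (menu, key, value, reason) for every weak setting present."""
    findings = []
    for menu, entries in menus.items():
        for entry in entries:
            for key, bad_values in WEAK_SETTINGS.items():
                value = entry.get(key)
                if value in bad_values:
                    findings.append((menu, key, value, bad_values[value]))
    return findings
```

Running `audit(parse_export(SAMPLE_EXPORT))` on the post's config reports four findings: null ESP authentication, MD5, modp768 and no PFS.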

Hello pyramid,

I don’t know if this helps but .. anyway .. I have also experienced some performance issues using the SMB protocol over IPsec tunnels, but with a Linux Samba server and a Windows client … my link was not as good as yours, but I managed to fine-tune throughput to the maximum link capability using some parameters on the Linux box (SMB server) … the parameters which did the trick were:

socket options = TCP_NODELAY IPTOS_LOWDELAY

but you can also try different buffer options with the SO_RCVBUF and SO_SNDBUF parameters for fine tuning …

I know these options are for a Samba server on a Linux box, but I remember seeing a lot of similar parameters being used for Windows servers/clients on different forums. Most of them are applied using registry changes.

Hope this helps you fine-tune your settings or points you in the right direction.

In my experience the SMB protocol seems to be quite sensitive to latency. I avoid using it over VPN tunnels and prefer to use NFS or iSCSI instead if possible.

JF